Abstract

This work is based on the proposal of a deterministic randomness extractor for a random Diffie-Hellman element defined over two prime-order multiplicative subgroups $G_1$ and $G_2$ of a finite field $\mathbb{F}_{p^n}$. We show that the least significant bits of a random element in $G_1 \cdot G_2$ are indistinguishable from a uniform bit-string of the same length.

One of the main applications of this extractor is to replace the use of hash functions in pairing-based protocols by a good deterministic randomness extractor.

Keywords: Finite fields, elliptic curves, randomness extractor, key derivation, bilinear sums.


1 Introduction 

The shared element after a Diffie-Hellman exchange is $g^{ab} \in G$, where $G$ is a cyclic subgroup of a finite field. It is indistinguishable from any other element of $G$ under the decisional Diffie-Hellman (DDH) assumption [3]. This hypothesis states that, given the two distributions $(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$, there is no efficient algorithm that can distinguish them. However, an encryption key should be indistinguishable from a uniformly distributed random bit string, so $g^{ab}$ cannot be used directly as the encryption key. Adequate mechanisms are therefore needed to ensure the indistinguishability of the key, such as hash functions, pseudo-random functions or randomness extractors.

Deterministic randomness extractors were introduced in complexity theory by Trevisan and Vadhan [?]. Most of the work on deterministic extractors that use exponential sums in their security proofs relies on simple exponential sums ([3] and subsequent works). Here we introduce deterministic randomness extractors that extract a perfectly random bit string from an element derived from the combination of two separate sources.

Related work 

In 1998, Boneh et al. [3] show that computing the $k$ most significant bits of a secret is as hard as computing the whole common secret. The authors rely on the Hidden Number Problem. Håstad et al. [?] propose a randomness extractor based on the probabilistic Leftover Hash Lemma, capable of extracting all the entropy of a random source having sufficient min-entropy. This technique and its variants, however, require the use of hash functions and perfect randomness.

The particularity of these extractors is that they belong to the random oracle model: indistinguishability cannot be proven under the DDH assumption unless a random oracle is added, which is considered a limitation in practice.
In 2008, Fouque et al. [13] propose a simple extractor capable of extracting the $k$ least significant bits or the $k$ most significant bits of a random element issued from a Diffie-Hellman exchange in a sufficiently large subgroup of $\mathbb{Z}_p^*$. They rely on exponential sums to bound the statistical distance between the two variables.

In 2009, Chevalier et al. [10] also use exponential sums, but bound the collision probability of the extracted bits to prove the security of the extractor. They use the Vinogradov inequality to bound the incomplete character sums. They improve the results of Fouque et al. by providing an extractor capable of extracting up to twice as many bits. They also give an extractor on the group of points of an elliptic curve defined over a finite field. However, their work was limited to prime finite fields.

In 2011, Ciss et al. [?] extend the work of Chevalier et al. to non-prime finite fields and to elliptic curves over $\mathbb{F}_{p^n}$, and more particularly to binary finite fields. They use the Winterhof inequality to bound the incomplete character sums.

All these previous works are based on the character-sum model using single character sums. We focus instead on the extraction of a random bit string from a random element derived from multiple sources, in particular from two sources.

Our work 

We propose a deterministic randomness extractor under the DDH assumption, which maps two multiplicative subgroups of a finite field to the set $\{0,1\}^k$ and extracts the $k$ least significant bits of a random element derived from the two subgroups. We use double exponential sums to bound the collision probability and give a security proof of our extractor.

Organization of work 

This work is organized as follows. In section 2, we recall some definitions and results about randomness, character sums and bilinear character sums. In section 3, we present and analyze our randomness extractor. In section 4, we finish by giving some applications of our extractor.

2 Preliminaries 

In this section, we introduce some definitions and results on the measures of randomness [18] and on character sums.


2.1 Measures of randomness 
Definition 2.1. Guessing probability

Let $\mathcal{X}$ be a set of cardinality $|\mathcal{X}|$ and $X$ an $\mathcal{X}$-valued random variable. The guessing probability $\gamma(X)$ of $X$ is given by:

$$\gamma(X) = \max\{\Pr[X = u] : u \in \mathcal{X}\}$$

Definition 2.2. Collision probability

Let $\mathcal{X}$ be a finite set and $X$ an $\mathcal{X}$-valued random variable. The collision probability of $X$, denoted by $\mathrm{Col}(X)$, is the probability that two independent copies $X$ and $X'$ take the same value:

$$\mathrm{Col}(X) = \Pr[X = X'] = \sum_{x \in \mathcal{X}} \Pr[X = x]^2$$
Definition 2.3. Statistical distance

Let $\mathcal{X}$ be a finite set. If $X$ and $Y$ are $\mathcal{X}$-valued random variables, then the statistical distance $\mathrm{SD}(X,Y)$ between $X$ and $Y$ is defined as

$$\mathrm{SD}(X,Y) = \frac{1}{2}\sum_{x \in \mathcal{X}} \left|\Pr[X = x] - \Pr[Y = x]\right|$$

Let $U_{\mathcal{X}}$ be a random variable uniformly distributed on $\mathcal{X}$ and $\delta < 1$ a positive real number. Then a random variable $X$ on $\mathcal{X}$ is said to be $\delta$-uniform if

$$\mathrm{SD}(X, U_{\mathcal{X}}) \le \delta$$

Lemma 2.1. Relation between $\mathrm{SD}$ and $\mathrm{Col}(X)$

Let $X$ be a random variable over a finite set $\mathcal{X}$ of size $|\mathcal{X}|$ and $\Delta = \mathrm{SD}(X, U_{\mathcal{X}})$ the statistical distance between $X$ and $U_{\mathcal{X}}$, where $U_{\mathcal{X}}$ is a uniformly distributed random variable over $\mathcal{X}$. Then,

$$\mathrm{Col}(X) \ge \frac{1 + 4\Delta^2}{|\mathcal{X}|}$$

Definition 2.4. Deterministic $(\mathcal{Y},\delta)$-extractor

Let $\mathcal{X}$ and $\mathcal{Y}$ be two finite sets. Let $\mathrm{Ext}$ be a function $\mathrm{Ext} : \mathcal{X} \to \mathcal{Y}$. We say that $\mathrm{Ext}$ is a deterministic $(\mathcal{Y},\delta)$-extractor for $\mathcal{X}$ if $\mathrm{Ext}(U_{\mathcal{X}})$ is $\delta$-uniform on $\mathcal{Y}$. That is

$$\mathrm{SD}(\mathrm{Ext}(U_{\mathcal{X}}), U_{\mathcal{Y}}) \le \delta$$

Definition 2.5. Two-source extractor

Let $\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{Z}$ be finite sets. The function $F : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ is a two-source extractor if the distribution $F(X,Y)$ is $\delta$-close to the uniform distribution $U_{\mathcal{Z}}$ on $\mathcal{Z}$ for all uniformly distributed random variables $X \in \mathcal{X}$ and $Y \in \mathcal{Y}$.

2.2 Characters 

Definition 2.6. Let $G$ be an abelian group. A character of $G$ is a homomorphism from $G$ to $\mathbb{C}^*$. A character is trivial if it is identically 1. We denote the trivial character by $\chi_0$ or $\psi_0$.

Definition 2.7. Let $\mathbb{F}_q$ be a given finite field. An additive character $\psi : \mathbb{F}_q^+ \to \mathbb{C}$ is a character with $\mathbb{F}_q$ considered as an additive group. A multiplicative character $\chi : \mathbb{F}_q^* \to \mathbb{C}$ is a character with $\mathbb{F}_q^* = \mathbb{F}_q \setminus \{0\}$ considered as a multiplicative group. We extend $\chi$ to $\mathbb{F}_q$ by defining $\chi(0) = 1$ if $\chi$ is trivial, and $\chi(0) = 0$ otherwise. Note that the extended $\chi$ still preserves multiplication.

2.3 Exponential sums over finite fields 

The main interest of exponential sums is that they allow one to construct characteristic functions of certain sets, and in some cases good bounds are known for them. These characteristic functions can then be used to estimate the size of those sets.

We focus on certain character sums, those involving the character $e_p$ defined as follows.

Theorem 2.1. Multiplicative characters of $\mathbb{F}_q$

The multiplicative characters of $\mathbb{F}_q$ are given by:

$$\forall x \in \mathbb{F}_q,\quad e_q(x) = e^{\frac{2i\pi x}{q}} \in \mathbb{C}^*$$

Theorem 2.2. Additive characters of $\mathbb{F}_q$

Suppose $q = p^n$ with $p$ prime. The additive characters of $\mathbb{F}_q$ are given by $\psi(x) = e_p(\mathrm{Tr}(x))$, where $\mathrm{Tr}(x) = x + x^p + \cdots + x^{p^{n-1}}$ is the trace of $x$.
2.3.1 Single character sums

Let $p$ be a prime number and $G$ a multiplicative subgroup of $\mathbb{F}_p^*$. For all $a \in \mathbb{F}_p^*$, we introduce the following notation:

$$S(a,G) = \sum_{x \in G} e_p(ax)$$

Lemma 2.2. Let $p$ be a prime number and $G$ a multiplicative subgroup of $\mathbb{F}_p^*$.

(1) If $a = 0$, $\sum_{x=0}^{p-1} e_p(ax) = p$.

(2) For all $a \in \mathbb{F}_p^*$, $\sum_{x=0}^{p-1} e_p(ax) = 0$.

(3) For all $x_0 \in G$ and all $a \in \mathbb{F}_p^*$, $S(ax_0, G) = S(a, G)$.

Proof. Follows [21], pp. 69-70. □

Theorem 2.3. Pólya-Vinogradov bound

Let $p$ be a prime number and $G$ a multiplicative subgroup of $\mathbb{F}_p^*$. For all $a \in \mathbb{F}_p^*$,

$$\left|\sum_{x \in G} e_p(ax)\right| \le \sqrt{p}$$

Proof. See [21] for the proof. □

Theorem 2.4. Winterhof bound

Let $V$ be an additive subgroup of $\mathbb{F}_{p^n}$ and let $\psi$ be an additive character of $\mathbb{F}_{p^n}$. Then

$$\sum_{a \in \mathbb{F}_{p^n}} \left|\sum_{x \in V} \psi(ax)\right| \le p^n$$

Proof. See [20] for the proof. □


2.3.2 Bilinear character sums

Let $p$ be a prime number and $G$, $H$ two multiplicative subgroups of $\mathbb{F}_p^*$. For all $a \in \mathbb{F}_p^*$, we introduce the following notation:

$$S(a,(G,H)) = \sum_{x \in G}\sum_{y \in H} e_p(axy)$$

Lemma 2.3. Let $p$ be prime and $G$, $H$ two subsets of $\mathbb{F}_p^*$. Then

$$\max_{(a,p)=1}\left|\sum_{x \in G}\sum_{y \in H} e_p(axy)\right| \le (p\,|G|\,|H|)^{\frac{1}{2}}$$

Proof. See [?]. □

Lemma 2.4. For any subsets $G$, $H$ of $\mathbb{F}_{p^n}^*$ and for any complex coefficients $\alpha_x$, $\beta_y$ with $|\alpha_x| \le 1$, $|\beta_y| \le 1$, the following bound holds

$$\left|\sum_{x \in G}\sum_{y \in H} \alpha_x \beta_y\, \psi(xy)\right| \le (p^n\,|G|\,|H|)^{\frac{1}{2}}$$


2.4 Exponential sums over points of elliptic curves 
2.4.1 Elliptic curves 

Let $\mathcal{E}$ be an elliptic curve over $\mathbb{F}_p$, $p > 3$, defined by an affine Weierstrass equation of the form

$$y^2 = x^3 + ax + b \qquad (1)$$

with coefficients $a, b \in \mathbb{F}_p$. It is known that the set $\mathcal{E}(\mathbb{F}_p)$ of $\mathbb{F}_p$-rational points of $\mathcal{E}$, with the point at infinity $\mathcal{O}$ as the neutral element, forms an abelian group. The group law operation is denoted by $\oplus$. Every point $P \ne \mathcal{O}$ in $\mathcal{E}(\mathbb{F}_p)$ is denoted by $P = (x(P), y(P))$. Given an integer $n$ and a point $P \in \mathcal{E}(\mathbb{F}_p)$, we write $nP$ for the sum of $n$ copies of $P$:

$$nP = P \oplus P \oplus \cdots \oplus P \quad (n \text{ copies}).$$


2.4.2 Bilinear sums over additive character 

Given two subsets $\mathcal{P}$, $\mathcal{Q}$ of $\mathcal{E}(\mathbb{F}_p)$ and arbitrary complex functions $u$, $v$ supported on $\mathcal{P}$ and $\mathcal{Q}$, we consider the bilinear sums of additive characters

$$V_{u,v}(\psi, \mathcal{P}, \mathcal{Q}) = \sum_{P \in \mathcal{P}}\sum_{Q \in \mathcal{Q}} u(P)\,v(Q)\,\psi\big(x(P \oplus Q)\big)$$

Lemma 2.5. Let $\mathcal{E}$ be an elliptic curve defined over $\mathbb{F}_q$ where $q = p^n$, with $n \ge 1$, and let

$$\sum_{P \in \mathcal{P}} |u(P)|^2 \le R \quad \text{and} \quad \sum_{Q \in \mathcal{Q}} |v(Q)|^2 \le T$$

Then, uniformly over all nontrivial additive characters $\psi$ of $\mathbb{F}_q$,

$$|V_{u,v}(\psi, \mathcal{P}, \mathcal{Q})| \ll$$

Proof. See [7]. □


3 Randomness extractor 

3.1 Randomness extractor in finite fields 

We propose and prove the security of a simple deterministic randomness extractor for two subgroups $G_1$ and $G_2$ of $\mathbb{F}_q^*$, where $q = p^n$ with $p$ prime and $n \ge 1$. The main theorem of this section states that the $k$ least significant bits of a random element in $(G_1, G_2)$ are close to a truly random element of $\{0,1\}^k$. Our approach follows the model based on character sums.
3.1.1 Randomness extraction in $\mathbb{F}_p$

Let $\mathbb{F}_p$ be a finite prime field such that $|p| = m$ ($p$ is an $m$-bit prime).

Let $G_1$ and $G_2$ be two multiplicative subgroups of $\mathbb{F}_p^*$ of order $q_1$ (resp. $q_2$), with $|q_1| = l_1$ and $|q_2| = l_2$.

Let $U_{G_1}$ (resp. $U_{G_2}$) be a random variable uniformly distributed on $G_1$ (resp. $G_2$), and $k$ a positive integer less than $m$.

Definition 3.1. Extractor $f_k$ on $\mathbb{F}_p$

The extractor $f_k$ is defined as the function

$$f_k : G_1 \times G_2 \to \{0,1\}^k,\quad (x_1, x_2) \mapsto \mathrm{lsb}_k(x_1 x_2)$$

The following lemma shows that $f_k$ is a good randomness extractor.


Lemma 3.1. Let $p$ be an $m$-bit prime, $G_1$ and $G_2$ two multiplicative subgroups of $\mathbb{F}_p^*$ of order $q_1$ (resp. $q_2$); we denote $|q_1| = l_1$ and $|q_2| = l_2$.

Let $U_{G_1}$ (resp. $U_{G_2}$) be a random variable uniformly distributed on $G_1$ (resp. $G_2$), and $k$ a positive integer less than $m$.

Let $U_k$ be a random variable uniformly distributed on $\{0,1\}^k$.

If $\Delta = \mathrm{SD}(f_k(U_{G_1}, U_{G_2}), U_k)$ then

$$2\Delta \le \sqrt{\frac{2^k\, 2^m \log_2(p)}{q_1 q_2}} = 2^{\frac{k + m + \log_2(m) - (l_1 + l_2)}{2}}$$


Proof. Since $f_k(x_1,x_2) = \mathrm{lsb}_k(x_1x_2)$, we can write $x_1x_2 = 2^k a + b$ and $x'_1x'_2 = 2^k a' + b'$ where $0 \le a, a' \le 2^{m-k}$ and $0 \le b, b' \le 2^k - 1$.

Thus $x_1x_2 - x'_1x'_2 = 2^k(a - a') + (b - b')$. If $\mathrm{lsb}_k(x_1x_2)$ and $\mathrm{lsb}_k(x'_1x'_2)$ coincide, then $x_1x_2 - x'_1x'_2 = 2^k(a - a')$.

Let $u = a - a'$, thus $0 \le u \le 2^{m-k}$.

Let us define $K = 2^k$ and $u_0 = \mathrm{msb}_{m-k}(p-1)$. If $w = 2^m w_m + \cdots + 2 w_1 + w_0$, $z = 2^{m'} z_{m'} + \cdots + 2 z_1 + z_0$ and $z \le w$, then $\mathrm{msb}_k(z) \le \mathrm{msb}_k(w)$. Since $0 \le a, a' \le p - 1$, therefore $u \le u_0$.

We introduce the following notation:

$$S(a,(G_1,G_2)) = \sum_{x_1 \in G_1}\sum_{x_2 \in G_2} e_p(a x_1 x_2)$$

We construct the characteristic function

$$\mathbb{1}\big((x_1,x_2),(x'_1,x'_2),u\big) = \frac{1}{p}\sum_{a=0}^{p-1} e_p\big(a(x_1x_2 - x'_1x'_2 - Ku)\big)$$

which, by properties (1) and (2) of Lemma 2.2, is equal to 1 if $x_1x_2 - x'_1x'_2 \equiv Ku \pmod p$ and 0 otherwise. Therefore we can evaluate $\mathrm{Col}(f_k(U_{G_1},U_{G_2}))$, where $U_{G_1}$ (resp. $U_{G_2}$) is uniformly distributed in $G_1$ (resp. in $G_2$):

$$\mathrm{Col}(f_k(U_{G_1},U_{G_2})) = \frac{\left|\{((x_1,x_2),(x'_1,x'_2)) \in (G_1 \times G_2)^2 : \exists u \le u_0,\ x_1x_2 - x'_1x'_2 \equiv Ku \pmod p\}\right|}{(q_1q_2)^2}$$

$$= \frac{1}{(q_1q_2)^2\,p}\sum_{(x_1,x_2) \in G_1 \times G_2}\ \sum_{(x'_1,x'_2) \in G_1 \times G_2}\ \sum_{u=0}^{u_0}\ \sum_{a=0}^{p-1} e_p\big(a(x_1x_2 - x'_1x'_2 - Ku)\big)$$

Then we manipulate the sums, separate the term $a = 0$ and obtain:

For $a = 0$,

$$\frac{1}{(q_1q_2)^2\,p}\sum_{(x_1,x_2) \in G_1 \times G_2}\ \sum_{(x'_1,x'_2) \in G_1 \times G_2}\ \sum_{u=0}^{u_0} 1 = \frac{u_0 + 1}{p} \qquad (*)$$

For $a \in \mathbb{F}_p^*$,

$$\frac{1}{(q_1q_2)^2\,p}\sum_{a=1}^{p-1}\ \sum_{(x_1,x_2) \in G_1 \times G_2} e_p(a x_1x_2)\ \sum_{(x'_1,x'_2) \in G_1 \times G_2} e_p(-a x'_1x'_2)\ \sum_{u=0}^{u_0} e_p(-aKu)$$

$$= \frac{1}{(q_1q_2)^2\,p}\sum_{a=1}^{p-1} S(a,(G_1,G_2))\,S(-a,(G_1,G_2))\sum_{u=0}^{u_0} e_p(-aKu)$$

$$= \frac{1}{(q_1q_2)^2\,p}\sum_{a=1}^{p-1} |S(a,(G_1,G_2))|^2 \sum_{u=0}^{u_0} e_p(-aKu)$$

We inject the result of $(*)$; then

$$\mathrm{Col}(f_k(U_{G_1},U_{G_2})) = \frac{u_0 + 1}{p} + \frac{1}{(q_1q_2)^2\,p}\sum_{a=1}^{p-1} |S(a,(G_1,G_2))|^2 \sum_{u=0}^{u_0} e_p(-aKu)$$

We have

$$\sum_{a=1}^{p-1}\left|\sum_{u=0}^{u_0} e_p(-aKu)\right| = \sum_{a=1}^{p-1}\left|\sum_{u=0}^{u_0} e_p(-au)\right|,$$

which comes from the change of variable $a' = Ka = 2^k a \bmod p$, with $\gcd(2,p) = 1$. Since $[0, u_0]$ is an interval, the inner sum is a geometric sum:

$$= \sum_{a=1}^{p-1}\left|\frac{1 - e_p(-a(u_0+1))}{1 - e_p(-a)}\right| = \sum_{a=1}^{p-1}\frac{\left|\sin\left(\frac{\pi a (u_0+1)}{p}\right)\right|}{\left|\sin\left(\frac{\pi a}{p}\right)\right|} \le \sum_{a=1}^{p-1}\frac{1}{\left|\sin\left(\frac{\pi a}{p}\right)\right|} \le 2\sum_{a=1}^{\frac{p-1}{2}}\frac{1}{\sin\left(\frac{\pi a}{p}\right)} \le p\log_2(p)$$

Therefore

$$\mathrm{Col}(f_k(U_{G_1},U_{G_2})) \le \frac{u_0+1}{p} + \frac{1}{(q_1q_2)^2\,p}\,\max_{a \in \mathbb{F}_p^*}|S(a,(G_1,G_2))|^2\; p\log_2(p)$$

$$\le \frac{u_0+1}{p} + \frac{1}{(q_1q_2)^2\,p}\,(p\,q_1q_2)\,p\log_2(p), \text{ by Lemma 2.3}$$

$$\le \frac{u_0+1}{p} + \frac{p\log_2(p)}{q_1q_2}$$

We now use Lemma 2.1, which gives a relation between the statistical distance $\Delta$ of $f_k(U_{G_1},U_{G_2})$ to the uniform distribution and the collision probability: $\mathrm{Col}(f_k(U_{G_1},U_{G_2})) \ge \frac{1 + 4\Delta^2}{2^k}$. The previous upper bound, combined with some manipulations, gives:

$$2\Delta \le \sqrt{2^k\,\mathrm{Col}(f_k(U_{G_1},U_{G_2})) - 1} \le \sqrt{\frac{2^k\,p\log_2(p)}{q_1q_2}} \le \sqrt{\frac{2^k\,2^m\log_2(p)}{q_1q_2}} \quad □$$
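As an added, runnable illustration of Definitions 2.2 and 2.3, Lemma 2.1 and the extractor $f_k$ of Definition 3.1 (this is example code written for this page, not code from the paper or its authors), the following Python script enumerates $G_1 \times G_2$ for a small prime $p$, computes the exact output distribution of $\mathrm{lsb}_k(x_1x_2 \bmod p)$, its collision probability and its statistical distance to the uniform distribution, checks the inequality of Lemma 2.1 and the bilinear-sum bound of Lemma 2.3 numerically, and evaluates the bound of Lemma 3.1 in the form $\frac{1}{2}\sqrt{2^k p \log_2(p)/(q_1q_2)}$ that appears in the proof. The subgroups are generated from a primitive root (a helper assumed here, not taken from the paper), and all parameters are constructed toy values.

```python
"""Exact statistics of the two-source extractor f_k(x1, x2) = lsb_k(x1 * x2 mod p).

Added example for this page; parameters are constructed toy values, not from the paper.
"""
from cmath import exp, pi
from collections import Counter
from fractions import Fraction
from itertools import product
from math import log2, sqrt


def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def primitive_root(p):
    """Smallest generator of the cyclic group F_p^* (assumed helper, p prime)."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1)):
            return g
    raise ValueError("no primitive root found (p must be prime)")


def multiplicative_subgroup(p, q):
    """The unique subgroup of F_p^* of order q, for q dividing p - 1."""
    if (p - 1) % q:
        raise ValueError("q must divide p - 1")
    h = pow(primitive_root(p), (p - 1) // q, p)  # element of exact order q
    return [pow(h, i, p) for i in range(q)]


def lsb(x, k):
    """The k least significant bits of x, as an integer in [0, 2^k)."""
    return x & ((1 << k) - 1)


def f_k(x1, x2, p, k):
    """Definition 3.1: f_k(x1, x2) = lsb_k(x1 * x2), the product taken in F_p."""
    return lsb((x1 * x2) % p, k)


def output_distribution(p, q1, q2, k):
    """Exact law of f_k(U_G1, U_G2): maps each k-bit output to its probability."""
    G1, G2 = multiplicative_subgroup(p, q1), multiplicative_subgroup(p, q2)
    counts = Counter(f_k(x1, x2, p, k) for x1, x2 in product(G1, G2))
    return {v: Fraction(c, q1 * q2) for v, c in counts.items()}


def collision_probability(dist):
    """Definition 2.2: Col(X) = sum_x Pr[X = x]^2."""
    return sum(pr * pr for pr in dist.values())


def statistical_distance_to_uniform(dist, size):
    """Definition 2.3: SD(X, U) = 1/2 * sum over all `size` outputs of |Pr[X = x] - 1/size|."""
    u = Fraction(1, size)
    return sum(abs(dist.get(v, Fraction(0)) - u) for v in range(size)) / 2


def lemma_2_1_holds(dist, size):
    """Lemma 2.1: Col(X) >= (1 + 4 Delta^2) / |X|, checked with exact rationals."""
    delta = statistical_distance_to_uniform(dist, size)
    return collision_probability(dist) >= (1 + 4 * delta * delta) / size


def max_bilinear_sum(p, q1, q2):
    """max over a in F_p^* of |S(a, (G1, G2))| = |sum_{x1 in G1} sum_{x2 in G2} e_p(a x1 x2)|."""
    G1, G2 = multiplicative_subgroup(p, q1), multiplicative_subgroup(p, q2)
    e_p = lambda t: exp(2j * pi * t / p)  # the character e_p of Theorem 2.1
    return max(abs(sum(e_p(a * x1 * x2) for x1 in G1 for x2 in G2)) for a in range(1, p))


def lemma_3_1_bound(p, q1, q2, k):
    """Bound on Delta from the proof of Lemma 3.1: 1/2 * sqrt(2^k p log2(p) / (q1 q2))."""
    return sqrt(2**k * p * log2(p) / (q1 * q2)) / 2


if __name__ == "__main__":
    # Constructed toy parameters: p = 241, so p - 1 = 240 = 2^4 * 3 * 5.
    p, q1, q2, k = 241, 48, 40, 3
    dist = output_distribution(p, q1, q2, k)
    delta = statistical_distance_to_uniform(dist, 2**k)
    print(f"Delta = {float(delta):.5f}, Col = {float(collision_probability(dist)):.5f}")
    print(f"Lemma 2.1 holds: {lemma_2_1_holds(dist, 2**k)}")
    print(f"max_a |S(a,(G1,G2))| = {max_bilinear_sum(p, q1, q2):.3f}"
          f" <= sqrt(p q1 q2) = {sqrt(p * q1 * q2):.3f}")
    print(f"Lemma 3.1 bound = {lemma_3_1_bound(p, q1, q2, k):.3f}"
          " (only informative for large parameters)")
```

For toy parameters the bound of Lemma 3.1 exceeds 1 and says nothing; the point of running the script is that the exact $\Delta$ and $\mathrm{Col}$ computed from the definitions satisfy Lemma 2.1 with equality in the tight cases (for instance $p = 7$, $G_1 = G_2 = \{1, 2, 4\}$, $k = 1$ gives $\mathrm{Col} = 5/9 = (1 + 4\Delta^2)/2$ with $\Delta = 1/6$), and that the bilinear sum never exceeds $\sqrt{p\,q_1q_2}$.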

3.1.2 Randomness extraction in $\mathbb{F}_{p^n}$

Consider the finite field $\mathbb{F}_{p^n}$, where $p$ is prime and $n$ is a positive integer greater than 1.

$\mathbb{F}_{p^n}$ is an $n$-dimensional vector space over $\mathbb{F}_p$. Let $\{\alpha_1, \alpha_2, \ldots, \alpha_n\}$ be a basis of $\mathbb{F}_{p^n}$ over $\mathbb{F}_p$. That means every pair of elements $x$ and $x'$ in $\mathbb{F}_{p^n}$ can be represented in the form $x = x_1\alpha_1 + x_2\alpha_2 + \cdots + x_n\alpha_n$ and $x' = x'_1\alpha_1 + x'_2\alpha_2 + \cdots + x'_n\alpha_n$, where $x_i$ (resp. $x'_i$) $\in \mathbb{F}_p$.

Let $G_1$ and $G_2$ be two multiplicative subgroups of $\mathbb{F}_{p^n}^*$ of order $q_1$ (resp. $q_2$); denote $|q_1| = l_1$ and $|q_2| = l_2$.

Let $U_{G_1}$ (resp. $U_{G_2}$) be a random variable uniformly distributed on $G_1$ (resp. $G_2$), and $k$ a positive integer less than $n$.


Definition 3.2. Extractor on $\mathbb{F}_{p^n}$

The extractor is defined as the function

$$F_k : G_1 \times G_2 \to \{0,1\}^k,\quad (x, x') \mapsto (x_1x'_1,\ x_2x'_2,\ \ldots,\ x_kx'_k)$$

The following lemma shows that $F_k$ is a good randomness extractor.


Lemma 3.2. Let $p$ be an $m$-bit prime. Let $G_1$ and $G_2$ be two multiplicative subgroups of $\mathbb{F}_{p^n}^*$ of order $q_1$ (resp. $q_2$); we denote $|q_1| = l_1$ and $|q_2| = l_2$.

Let $U_{G_1}$ (resp. $U_{G_2}$) be a random variable uniformly distributed on $G_1$ (resp. $G_2$), and $k$ a positive integer less than $m$. Let $U_k$ be a random variable uniformly distributed on $\{0,1\}^k$.

If $\Delta = \mathrm{SD}(F_k(U_{G_1}, U_{G_2}), U_k)$ then

$$\Delta \le \sqrt{\frac{p^{n+k}}{4\,q_1q_2}} = 2^{\frac{km + nm - (l_1 + l_2 + 2)}{2}}$$
Proof. Let $((x,x'),(y,z)) \in (G_1 \times G_2)^2$.

Let us introduce the notation

$$T(a,(G_1,G_2)) = \sum_{x \in G_1}\sum_{x' \in G_2} \psi(a x x')$$

Let us define the following sets:

$$R = \{x_{k+1}x'_{k+1}\alpha_{k+1} + x_{k+2}x'_{k+2}\alpha_{k+2} + \cdots + x_n x'_n \alpha_n\},\ \text{a subgroup of } \mathbb{F}_{p^n},$$

$$C = \{((x,x'),(y,z)) \in (G_1 \times G_2)^2 : \exists r \in R,\ xx' - yz = r\}$$

$$|C| = \frac{1}{p^n}\sum_{x \in G_1,\, x' \in G_2}\ \sum_{y \in G_1,\, z \in G_2}\ \sum_{r \in R}\ \sum_{a \in \mathbb{F}_{p^n}} \psi\big(a(xx' - yz - r)\big)$$

We can evaluate the collision probability:

$$\mathrm{Col}(F_k(U_{G_1},U_{G_2})) = \frac{1}{(q_1q_2)^2\,p^n}\sum_{(x,x') \in G_1 \times G_2}\ \sum_{(y,z) \in G_1 \times G_2}\ \sum_{r \in R}\ \sum_{a \in \mathbb{F}_{p^n}} \psi\big(a(xx' - yz - r)\big)$$

$$= \frac{1}{(q_1q_2)^2\,p^n}\sum_{a \in \mathbb{F}_{p^n}}\ \sum_{(x,x') \in G_1 \times G_2} \psi(axx')\ \sum_{(y,z) \in G_1 \times G_2} \psi(-ayz)\ \sum_{r \in R} \psi(-ar)$$

Then we manipulate the sums, separate the term $a = 0$ and obtain:

For $a = 0$,

$$\frac{1}{(q_1q_2)^2\,p^n}\sum_{(x,x') \in G_1 \times G_2}\ \sum_{(y,z) \in G_1 \times G_2}\ \sum_{r \in R} 1 = \frac{|R|}{p^n} = \frac{1}{p^k}$$

For $a \in \mathbb{F}_{p^n}^*$,

$$\frac{1}{(q_1q_2)^2\,p^n}\sum_{a \in \mathbb{F}_{p^n}^*}\ \sum_{(x,x') \in G_1 \times G_2} \psi(axx')\ \sum_{(y,z) \in G_1 \times G_2} \psi(-ayz)\ \sum_{r \in R} \psi(-ar) = \frac{1}{(q_1q_2)^2\,p^n}\sum_{a \in \mathbb{F}_{p^n}^*} |T(a,(G_1,G_2))|^2 \sum_{r \in R}\psi(-ar)$$

Hence

$$\mathrm{Col}(F_k(U_{G_1},U_{G_2})) = \frac{1}{p^k} + \frac{1}{(q_1q_2)^2\,p^n}\sum_{a \in \mathbb{F}_{p^n}^*} |T(a,(G_1,G_2))|^2 \sum_{r \in R}\psi(-ar)$$

$$\le \frac{1}{p^k} + \frac{1}{(q_1q_2)^2\,p^n}\,(p^n\, q_1 q_2)\,p^n, \text{ by Lemma 2.3 and Theorem 2.4}$$

$$\le \frac{1}{p^k} + \frac{p^n}{q_1q_2}$$

We now use Lemma 2.1, which gives a relation between the statistical distance $\Delta$ of $F_k(U_{G_1},U_{G_2})$ to the uniform distribution $U_k$ and the collision probability: $\mathrm{Col}(F_k(U_{G_1},U_{G_2})) \ge \frac{1 + 4\Delta^2}{2^k}$. Then

$$2\Delta \le \sqrt{2^k\,\mathrm{Col}(F_k(U_{G_1},U_{G_2})) - 1} \le \sqrt{\frac{2^k}{p^k} + \frac{2^k\,p^n}{q_1q_2} - 1} \le \sqrt{\frac{p^{n+k}}{q_1q_2}}$$

Therefore, with some manipulations, we obtain the expected result:

$$\Delta \le \sqrt{\frac{p^{n+k}}{4\,q_1q_2}} = 2^{\frac{km + nm - (l_1 + l_2 + 2)}{2}} \quad □$$
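As an added example for Definition 3.2 and Lemma 3.2 (written for this page, not code from the paper), the following Python script realises $\mathbb{F}_{p^2}$ as $\mathbb{F}_p[t]/(t^2 + 1)$ for a prime $p \equiv 3 \pmod 4$ (so that $t^2 + 1$ is irreducible), takes the basis $\{\alpha_1, \alpha_2\} = \{1, t\}$, builds two multiplicative subgroups $G_1, G_2$ of $\mathbb{F}_{p^2}^*$, and computes the exact law of the coordinate-wise extractor $F_k(x, x') = (x_1x'_1, \ldots, x_kx'_k)$ together with its collision probability, its statistical distance to the uniform distribution and the check of Lemma 2.1. Two assumptions made here and not in the paper: the output is compared with the uniform distribution on $\mathbb{F}_p^k$ (the set the coordinate products actually live in), and the generator of $\mathbb{F}_{p^2}^*$ is found by an exhaustive order test, which is fine only for toy sizes. All parameters are constructed values.

```python
"""Exact statistics of the coordinate-wise extractor F_k of Definition 3.2 on F_{p^2}.

Added example for this page; F_{p^2} is realised as F_p[t]/(t^2 + 1) for p = 3 mod 4
with basis {alpha_1, alpha_2} = {1, t}. Constructed toy parameters, not from the paper.
"""
from collections import Counter
from fractions import Fraction
from itertools import product
from math import sqrt

ONE = (1, 0)  # the element 1 = 1*alpha_1 + 0*alpha_2


def mul(x, y, p):
    """Product in F_p[t]/(t^2 + 1): (a + b t)(c + d t) = (ac - bd) + (ad + bc) t."""
    a, b = x
    c, d = y
    return ((a * c - b * d) % p, (a * d + b * c) % p)


def power(x, e, p):
    """Square-and-multiply exponentiation in F_{p^2}."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = mul(result, base, p)
        base = mul(base, base, p)
        e >>= 1
    return result


def generator(p):
    """A generator of the cyclic group F_{p^2}^* (exhaustive order test; toy sizes only)."""
    order = p * p - 1
    for g in product(range(p), repeat=2):
        if g != (0, 0) and all(power(g, e, p) != ONE for e in range(1, order)):
            return g
    raise ValueError("no generator found (is p prime and p = 3 mod 4?)")


def multiplicative_subgroup(p, q):
    """The unique subgroup of F_{p^2}^* of order q, for q dividing p^2 - 1."""
    if (p * p - 1) % q:
        raise ValueError("q must divide p^2 - 1")
    h = power(generator(p), (p * p - 1) // q, p)  # element of exact order q
    return [power(h, i, p) for i in range(q)]


def F_k(x, xp, p, k):
    """Definition 3.2: (x, x') -> (x_1 x'_1, ..., x_k x'_k), coordinate products in F_p."""
    return tuple((xi * xpi) % p for xi, xpi in zip(x[:k], xp[:k]))


def output_distribution(p, q1, q2, k):
    """Exact law of F_k(U_G1, U_G2) as a map from k-tuples over F_p to probabilities."""
    G1, G2 = multiplicative_subgroup(p, q1), multiplicative_subgroup(p, q2)
    counts = Counter(F_k(x, xp, p, k) for x, xp in product(G1, G2))
    return {v: Fraction(c, q1 * q2) for v, c in counts.items()}


def collision_probability(dist):
    """Definition 2.2 with exact rationals."""
    return sum(pr * pr for pr in dist.values())


def statistical_distance_to_uniform(dist, p, k):
    """Definition 2.3 against the uniform distribution on F_p^k (assumption made here)."""
    u = Fraction(1, p**k)
    return sum(abs(dist.get(v, Fraction(0)) - u) for v in product(range(p), repeat=k)) / 2


def lemma_2_1_holds(dist, p, k):
    """Lemma 2.1: Col >= (1 + 4 Delta^2) / p^k."""
    delta = statistical_distance_to_uniform(dist, p, k)
    return collision_probability(dist) >= (1 + 4 * delta * delta) / p**k


def lemma_3_2_bound(p, n, q1, q2, k):
    """Lemma 3.2: Delta <= sqrt(p^(n+k) / (4 q1 q2))."""
    return sqrt(p ** (n + k) / (4 * q1 * q2))


if __name__ == "__main__":
    p, n, k = 7, 2, 1      # F_49, extract the first coordinate product
    q1, q2 = 48, 16        # 48 = 7^2 - 1, so G1 is all of F_49^*; G2 has order 16
    dist = output_distribution(p, q1, q2, k)
    print(f"Delta = {float(statistical_distance_to_uniform(dist, p, k)):.5f}, "
          f"Col = {float(collision_probability(dist)):.5f}")
    print(f"Lemma 2.1 holds: {lemma_2_1_holds(dist, p, k)}")
    print(f"Lemma 3.2 bound: {lemma_3_2_bound(p, n, q1, q2, k):.4f}")
```

A case that can be checked by hand: with $G_1 = \{1\}$ and $G_2 = \mathbb{F}_{49}^*$, the output is simply the first coordinate of a uniform nonzero element, which equals $0$ with probability $6/48$ and each nonzero value with probability $7/48$, so $\Delta = 1/56$ and $\mathrm{Col} = 55/384$; the test below asserts exactly these values.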


3.2 Randomness extraction in elliptic curves

3.2.1 Randomness extractor in $\mathcal{E}(\mathbb{F}_p)$

Definition 3.3. Let $p$ be a prime greater than 5. Let $\mathcal{E}$ be an elliptic curve over the finite field $\mathbb{F}_p$ and let $\mathcal{P}$, $\mathcal{Q}$ be two subgroups of $\mathcal{E}(\mathbb{F}_p)$. Denote $|\mathcal{P}| = q_1$ and $|\mathcal{Q}| = q_2$. Then we define the function

$$\mathrm{extrac}_k : \mathcal{P} \times \mathcal{Q} \to \{0,1\}^k,\quad (P,Q) \mapsto \mathrm{lsb}_k\big(x(P)\cdot x(Q)\big)$$

Lemma 3.3. We now show an equivalent of Lemma 3.1.

Let $\mathcal{E}$ be an elliptic curve over the finite field $\mathbb{F}_p$ and let $\mathcal{P}$, $\mathcal{Q}$ be two subgroups of $\mathcal{E}(\mathbb{F}_p)$. Denote $|\mathcal{P}| = q_1$ and $|\mathcal{Q}| = q_2$. Let $U_{\mathcal{P}}$ and $U_{\mathcal{Q}}$ be two random variables uniformly distributed in $\mathcal{P}$ and $\mathcal{Q}$ respectively. Let $U_k$ be the uniform distribution on $\{0,1\}^k$. Then

$$\Delta\big(\mathrm{extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}}), U_k\big) \ll \sqrt{\frac{2^{k-2}\,p\log_2(p)}{q_1q_2}} = 2^{\frac{k + n + \log_2(n) - (l_1 + l_2 + 2)}{2}}$$

Proof. Let us define $K = 2^k$ and $u_0 = \mathrm{msb}_{m-k}(p-1)$.

Define the characteristic function

$$\mathbb{1}\big((P,Q),(A,B),u\big) = \frac{1}{p}\sum_{\psi} \psi\big(x(P)x(Q) - x(A)x(B) - Ku\big)$$

which is equal to 1 if $x(P)x(Q) - x(A)x(B) = Ku$ and to 0 otherwise.

Let us compute the collision probability:

$$\mathrm{Col}\big(\mathrm{extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}})\big) = \frac{1}{(q_1q_2)^2\,p}\sum_{P \in \mathcal{P}}\sum_{Q \in \mathcal{Q}}\sum_{A \in \mathcal{P}}\sum_{B \in \mathcal{Q}}\sum_{\psi}\sum_{u \le u_0}\psi\big(x(P)x(Q) - x(A)x(B) - Ku\big)$$

Then we manipulate the sums, separate the term $\psi = \psi_0$ and obtain:

For $\psi = \psi_0$,

$$\frac{1}{(q_1q_2)^2\,p}\sum_{P \in \mathcal{P}}\sum_{Q \in \mathcal{Q}}\sum_{A \in \mathcal{P}}\sum_{B \in \mathcal{Q}}\sum_{u \le u_0} 1 = \frac{u_0 + 1}{p}$$

For $\psi \ne \psi_0$,

$$\frac{1}{(q_1q_2)^2\,p}\sum_{\psi \ne \psi_0}\sum_{P \in \mathcal{P}}\sum_{Q \in \mathcal{Q}}\sum_{A \in \mathcal{P}}\sum_{B \in \mathcal{Q}}\sum_{u \le u_0}\psi\big(x(P)x(Q) - x(A)x(B) - Ku\big)$$

Then

$$\mathrm{Col}\big(\mathrm{extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}})\big) = \frac{u_0+1}{p} + \frac{1}{(q_1q_2)^2\,p}\sum_{\psi \ne \psi_0}\ \sum_{P \in \mathcal{P}}\sum_{Q \in \mathcal{Q}}\psi\big(x(P)x(Q)\big)\ \sum_{A \in \mathcal{P}}\sum_{B \in \mathcal{Q}}\psi\big(-x(A)x(B)\big)\ \sum_{u \le u_0}\psi(-Ku)$$

$$\le \frac{u_0+1}{p} + \frac{1}{(q_1q_2)^2\,p}\sum_{\psi \ne \psi_0}\left|\sum_{P \in \mathcal{P}}\sum_{Q \in \mathcal{Q}}\psi\big(x(P)x(Q)\big)\right|\left|\sum_{A \in \mathcal{P}}\sum_{B \in \mathcal{Q}}\psi\big(-x(A)x(B)\big)\right|\left|\sum_{u \le u_0}\psi(-Ku)\right|$$

$$= \frac{u_0+1}{p} + \frac{1}{(q_1q_2)^2\,p}\sum_{\psi \ne \psi_0}|V(\psi,\mathcal{P},\mathcal{Q})|^2\left|\sum_{u \le u_0}\psi(-Ku)\right|$$

$$\le \frac{u_0+1}{p} + \frac{1}{(q_1q_2)^2\,p}\,p\,q_1q_2\sum_{\psi \ne \psi_0}\left|\sum_{u \le u_0}\psi(-Ku)\right|, \text{ by Lemma 2.3}$$

$$\le \frac{u_0+1}{p} + \frac{1}{(q_1q_2)^2\,p}\,p\,q_1q_2\,p\log_2(p), \text{ since it is shown above that } \sum_{\psi \ne \psi_0}\left|\sum_{u \le u_0}\psi(-Ku)\right| \le p\log_2(p)$$

$$\le \frac{u_0+1}{p} + \frac{p\log_2(p)}{q_1q_2}$$

We now use Lemma 2.1:

$$2\Delta\big(\mathrm{extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}}), U_k\big) \ll \sqrt{2^k\,\mathrm{Col}\big(\mathrm{extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}})\big) - 1}$$

$$2\Delta\big(\mathrm{extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}}), U_k\big) \ll \sqrt{2^k\left(\frac{u_0+1}{p} + \frac{p\log_2(p)}{q_1q_2}\right) - 1}$$

Therefore, with some manipulations,

$$\Delta\big(\mathrm{extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}}), U_k\big) \ll \sqrt{\frac{2^{k-2}\,p\log_2(p)}{q_1q_2}} = 2^{\frac{k + n + \log_2(n) - (l_1 + l_2 + 2)}{2}} \quad □$$
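As an added example for Definition 3.3 and Lemma 3.3 (written for this page, not code from the paper), the following Python script implements the affine group law $\oplus$ on a small curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, builds the two subgroups $\mathcal{P} = \langle P \rangle$ and $\mathcal{Q} = \langle Q \rangle$ generated by one point each, and computes the exact law of $\mathrm{extrac}_k(P, Q) = \mathrm{lsb}_k\big(x(P)\cdot x(Q)\big)$, its collision probability, its statistical distance to the uniform distribution on $\{0,1\}^k$ and the check of Lemma 2.1. Since the neutral element $\mathcal{O}$ has no affine $x$-coordinate, the extractor is evaluated on the non-neutral points of each subgroup; that choice, the curve ($p = 97$, $a = 2$, $b = 3$), the generating points and $k$ are all constructed assumptions of this example.

```python
"""Exact statistics of extrac_k(P, Q) = lsb_k(x(P) * x(Q) mod p) from Definition 3.3.

Added example for this page, not from the paper. The curve y^2 = x^3 + a x + b over F_p,
the subgroups (generated by one point each) and all parameters are constructed toy values.
The neutral element O has no affine x-coordinate, so the extractor is evaluated on the
non-neutral points of each subgroup (an assumption made here for the illustration).
"""
from collections import Counter
from fractions import Fraction
from itertools import product
from math import log2, sqrt

O = None  # the point at infinity, neutral element of E(F_p)


def on_curve(pt, a, b, p):
    """True if pt is O or satisfies y^2 = x^3 + a x + b over F_p."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def add(P, Q, a, p):
    """Group law (+) on E(F_p) in affine coordinates (chord-and-tangent)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # P + (-P) = O, also covers doubling a 2-torsion point
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def all_points(a, b, p):
    """Enumerate E(F_p) by brute force (fine for a toy prime)."""
    pts = [O]
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        pts.extend((x, y) for y in range(p) if (y * y) % p == rhs)
    return pts


def cyclic_subgroup(P, a, p):
    """The subgroup <P> = {P, 2P, ..., nP = O} of E(F_p)."""
    pts, R = [], P
    while R is not None:
        pts.append(R)
        R = add(R, P, a, p)
    return pts + [O]


def extrac_k(P, Q, p, k):
    """Definition 3.3: lsb_k(x(P) * x(Q) mod p) for affine points P, Q."""
    return ((P[0] * Q[0]) % p) & ((1 << k) - 1)


def output_distribution(subP, subQ, p, k):
    """Exact law of extrac_k(U_P, U_Q) over the non-neutral points of the two subgroups."""
    affP = [P for P in subP if P is not None]
    affQ = [Q for Q in subQ if Q is not None]
    counts = Counter(extrac_k(P, Q, p, k) for P, Q in product(affP, affQ))
    return {v: Fraction(c, len(affP) * len(affQ)) for v, c in counts.items()}


def collision_probability(dist):
    """Definition 2.2 with exact rationals."""
    return sum(pr * pr for pr in dist.values())


def statistical_distance_to_uniform(dist, size):
    """Definition 2.3 against the uniform distribution on {0,1}^k (size = 2^k)."""
    u = Fraction(1, size)
    return sum(abs(dist.get(v, Fraction(0)) - u) for v in range(size)) / 2


def lemma_2_1_holds(dist, size):
    """Lemma 2.1: Col >= (1 + 4 Delta^2) / size."""
    delta = statistical_distance_to_uniform(dist, size)
    return collision_probability(dist) >= (1 + 4 * delta * delta) / size


def lemma_3_3_bound(p, q1, q2, k):
    """Lemma 3.3 without its implied constant: sqrt(2^(k-2) p log2(p) / (q1 q2))."""
    return sqrt(2 ** (k - 2) * p * log2(p) / (q1 * q2))


if __name__ == "__main__":
    p, a, b, k = 97, 2, 3, 2                       # constructed toy curve and k
    E = all_points(a, b, p)
    subP = cyclic_subgroup((3, 6), a, p)           # (3, 6) lies on the curve
    subQ = cyclic_subgroup((17, 10), a, p)         # (17, 10) lies on the curve
    dist = output_distribution(subP, subQ, p, k)
    print(f"#E = {len(E)}, |<P>| = {len(subP)}, |<Q>| = {len(subQ)}")
    print(f"Delta = {float(statistical_distance_to_uniform(dist, 2**k)):.5f}, "
          f"Lemma 2.1 holds: {lemma_2_1_holds(dist, 2**k)}")
    print(f"Lemma 3.3 bound: {lemma_3_3_bound(p, len(subP), len(subQ), k):.4f}")
```

The subgroup sizes divide $\#\mathcal{E}(\mathbb{F}_p)$ by Lagrange's theorem, which the test uses as a sanity check of the group law; the doubling $2\cdot(3,6) = (80,10)$ can be verified by hand with $\lambda = (3\cdot 9 + 2)\cdot 12^{-1} \equiv 59 \pmod{97}$.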


3.2.2 Randomness extractor in $\mathcal{E}(\mathbb{F}_{p^n})$

Definition 3.4. Let $p$ be a prime, $p > 5$. Let $\mathcal{E}$ be an elliptic curve over the finite field $\mathbb{F}_{p^n}$ and let $\mathcal{P}$, $\mathcal{Q}$ be two subgroups of $\mathcal{E}(\mathbb{F}_{p^n})$. Denote $|\mathcal{P}| = q_1$ and $|\mathcal{Q}| = q_2$.

Then we define the function

$$\mathrm{Extrac}_k : \mathcal{P} \times \mathcal{Q} \to \{0,1\}^k,\quad (P,Q) \mapsto \mathrm{lsb}_k\big(x(P)\cdot x(Q)\big)$$

where $x(P)\cdot x(Q) = t_1\alpha_1 + t_2\alpha_2 + \cdots + t_n\alpha_n$.

Lemma 3.4. Let $\mathcal{E}$ be an elliptic curve over the finite field $\mathbb{F}_{p^n}$ and let $\mathcal{P}$, $\mathcal{Q}$ be two subgroups of $\mathcal{E}(\mathbb{F}_{p^n})$. Denote $|\mathcal{P}| = q_1$ and $|\mathcal{Q}| = q_2$. Let $U_{\mathcal{P}}$ and $U_{\mathcal{Q}}$ be two random variables uniformly distributed in $\mathcal{P}$ and $\mathcal{Q}$ respectively. Let $U_k$ be the uniform distribution on $\{0,1\}^k$. Then

$$\Delta\big(\mathrm{Extrac}_k(U_{\mathcal{P}},U_{\mathcal{Q}}), U_k\big) \ll 2^{\frac{km + nm - (l_1 + l_2 + 2)}{2}}$$

Proof. Using Lemma 2.5 and Theorem 2.4, the sketch of the proof is the same as that of Lemma 3.2. □


4 Application 

The first and most well-known tools used for the extraction phase of a key exchange protocol, in order to create a secure channel, are hash functions. Hash functions are the most often adopted solution because of their flexibility and efficiency. However, they have a significant drawback: the validity of this technique holds in the random oracle model only.

Definitely, the truncation of the bit-string of the random element is the most efficient randomness extractor, since it is deterministic and does not require any computation.

The study of randomness extraction has several cryptographic applications, especially randomness extraction from a point of an elliptic curve. As already said, some of these applications are found in key derivation functions, key exchange protocols [12] and the design of cryptographically secure pseudorandom number generators [16].

Today the trend is towards identity-based cryptography, and pairings on elliptic and hyperelliptic curves are widely used in this field, especially for key exchange between three entities and for authentication. Nevertheless, we find that most pairing-based protocols, in this case for authentication, use hash functions in the extraction phase. Two-source extractors would be good candidates to replace these functions. They are not only deterministic but also offer the possibility of increasing the randomness by considering not one but two sources.